ci: drop dead docker.io from straw-build image
Publish moved off the host docker socket to a rootless SSH forced-command on Lucy (#444), so the docker CLI in the build image is now unused. Keep openssh-client (the publish step ssh's the signed APK to the host).
This commit is contained in:
parent
e11cc6a854
commit
14d38b27e4
1 changed files with 6 additions and 4 deletions
|
|
@ -59,11 +59,13 @@ RUN java -version && cargo --version && cargo ndk --version || true \
|
||||||
&& test -d "$ANDROID_SDK_ROOT/build-tools/36.0.0"
|
&& test -d "$ANDROID_SDK_ROOT/build-tools/36.0.0"
|
||||||
|
|
||||||
# Publish tooling (appended last so the heavy toolchain layers stay cached):
|
# Publish tooling (appended last so the heavy toolchain layers stay cached):
|
||||||
# docker CLI to talk to the runner's host socket for the fdroid steps, and
|
# openssh-client only. The gated publish step hands the signed APK over SSH to a
|
||||||
# openssh-client to stream the signed repo to Rackham. The build steps don't
|
# rootless forced-command on the Lucy host, which verifies the signer and re-signs
|
||||||
# touch the socket; only the gated publish step does.
|
# the fdroid index on-host. No docker CLI / host socket is involved any more — the
|
||||||
|
# old docker.io dependency was dropped once publish moved off the host docker
|
||||||
|
# socket (#444 rootless hardening).
|
||||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||||
docker.io openssh-client \
|
openssh-client \
|
||||||
&& rm -rf /var/lib/apt/lists/*
|
&& rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
# The signing keystore is NOT baked — it's injected per-build from the Forgejo
|
# The signing keystore is NOT baked — it's injected per-build from the Forgejo
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue